bumblebee | 8635911b8839322e420f9b53a075642e91ef3c71176109ab0a73df78345b56ae | Triage

Analysis

max time kernel
1787s
max time network
1799s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 18:54

Sharing

Report Analysis Logs

General

Target

bb.dll
Size

966KB
MD5

6e780435da8461940fc822f31b7368d2
SHA1

1f9467a1495ee143588e9b53f0a5b1ebe311d4b5
SHA256

0a4af4996a5f1c091cde6b18907c08fe31f373d7477d2f524161a45d130a1fac
SHA512

76d9bf6522278d9b9d7f3979bccbb894684cea1e87c034fcd71860e969fc367f6a7a42f67184296cdeb5f77a2893c307868f8bd0f6c4d0f548a09549b05833fe
SSDEEP

12288:+s+DiK3N/x/8rwMAImFetO29Qvnr7iL7/FXQ6e4HP5kGpmaJTWPa5bi5pguM649J:+FgxAIyDvn9kqCtwWi5iukff

Score

10^/10

bumblebee 0311t2 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

0311t2

C2

39.65.8.170:443

103.144.139.156:443

107.189.30.231:443

91.245.254.101:443

194.135.33.127:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 64 IoCs

flow	pid	Process
23	2356	rundll32.exe
33	2356	rundll32.exe
36	2356	rundll32.exe
40	2356	rundll32.exe
41	2356	rundll32.exe
49	2356	rundll32.exe
50	2356	rundll32.exe
53	2356	rundll32.exe
56	2356	rundll32.exe
58	2356	rundll32.exe
59	2356	rundll32.exe
61	2356	rundll32.exe
62	2356	rundll32.exe
64	2356	rundll32.exe
69	2356	rundll32.exe
70	2356	rundll32.exe
71	2356	rundll32.exe
72	2356	rundll32.exe
74	2356	rundll32.exe
75	2356	rundll32.exe
77	2356	rundll32.exe
78	2356	rundll32.exe
79	2356	rundll32.exe
80	2356	rundll32.exe
82	2356	rundll32.exe
83	2356	rundll32.exe
85	2356	rundll32.exe
86	2356	rundll32.exe
87	2356	rundll32.exe
89	2356	rundll32.exe
90	2356	rundll32.exe
92	2356	rundll32.exe
93	2356	rundll32.exe
95	2356	rundll32.exe
96	2356	rundll32.exe
97	2356	rundll32.exe
98	2356	rundll32.exe
99	2356	rundll32.exe
100	2356	rundll32.exe
102	2356	rundll32.exe
103	2356	rundll32.exe
105	2356	rundll32.exe
106	2356	rundll32.exe
108	2356	rundll32.exe
109	2356	rundll32.exe
111	2356	rundll32.exe
112	2356	rundll32.exe
113	2356	rundll32.exe
116	2356	rundll32.exe
117	2356	rundll32.exe
118	2356	rundll32.exe
120	2356	rundll32.exe
122	2356	rundll32.exe
123	2356	rundll32.exe
124	2356	rundll32.exe
126	2356	rundll32.exe
127	2356	rundll32.exe
129	2356	rundll32.exe
130	2356	rundll32.exe
132	2356	rundll32.exe
133	2356	rundll32.exe
134	2356	rundll32.exe
136	2356	rundll32.exe
137	2356	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2356	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb.dll,#1
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:2356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2356-132-0x000001C104EF0000-0x000001C105039000-memory.dmp

Filesize
1.3MB

Download
memory/2356-133-0x000001C1033D0000-0x000001C103446000-memory.dmp

Filesize
472KB

Download